Last-Minute Budget Bill Allows New Privacy-Invading Surveillance in the Name of Cybersecurity

In the wake of a series of humiliating cyberattacks, the imperative in Congress and the White House to do something — anything — in the name of improving cybersecurity was powerful.

But only the most cynical observers thought the results would be this bad.

The legislation the House passed on Friday morning is a thinly disguised surveillance bill that would give companies pathways they don’t need to share user data related to cyberthreats with the government — while allowing the government to use that information for any purpose, with almost no privacy protections.

Because Speaker of the House Paul Ryan slipped the provision into the massive government omnibus spending bill that had to pass — or else the entire government would have shut down — it was doomed to become law. (This post has been updated to reflect the vote, which was 316 to 113.)

The text of the bill — now known as the Cybersecurity Act of 2015, formerly known as CISA — wasn’t released until shortly after midnight Wednesday morning, giving members of Congress essentially no time to do anything about it.

The bill removes a restriction on direct information sharing with the National Security Agency and the Pentagon; eliminates a restriction on the government’s use of that information for surveillance activities; allows law enforcement to use the information to prosecute any and all crimes; and leaves it up to the individual agencies to scrub personally identifying information when they feel like it.

“If someone hacks a health insurance company like Blue Cross/Blue Shield, and they get scared and hand over all the medical records that were exposed in the hack, the NSA could share those records with the DEA, who could use them in ongoing investigations that have nothing to do with cybersecurity or terrorism,” wrote Evan Greer, campaign director for Fight for the Future, a digital rights advocacy group.

The House Homeland Security Committee chaired by Rep. McCaul, R-Texas, had proposed a series of privacy protections from a previous House version of the cyber bill, but they were stricken from the new version that emerged from the Speaker’s office.

“The bill is all the worst parts” of the different cybersecurity bills negotiated in recent months, Nathan White, senior legislative manager for Access Now, told The Intercept. “It was negotiated in secret. … It’s a sneaky process they’ve used.”

Because of the last-minute timing, members of Congress “are not even going to know what they’re passing,” White said. “We don’t have time to get an informed vote, they’re pulling a fast one on the Senate.”

And the White House is reportedly on board. According to a leaked document published by Dustin Volz of Reuters, titled “Summary administration priorities for CISA”, the White House’s priorities line up with the new version of the bill — despite the fact that the administration threatened a veto over very similar legislation in 2013.

According to several technologists, information sharing isn’t a real solution to preventing cyberattacks. The best defense is better cyber hygiene. “When you’ve got an epidemic, the answer is you should be washing your hands every time you use the bathroom. It’s just not a sexy thing to say,” Lee Tien, senior staff attorney at the Electronic Frontier Foundation, told The Intercept last January following President Obama’s State of the Union address, which focused heavily on cybersecurity.

Some opposition to the new bill has emerged among digital rights-supporting lawmakers and organizations, both Democratic and Republican. But they face off against the immensely powerful intelligence committees in the House and the Senate, congressional leadership, and the White House.

“Members of Congress are intentionally kept in dark so we don’t have time to rally opposition to particular measures,” Libertarian-leaning Rep. Justin Amash, R-Mich., wrote on Twitter.

Rep. Zoe Lofgren, D-Calif., warned that the bill would “accomplish little more than increased unwarranted surveillance of U.S. persons, sharing private information with prosecutors and feeding the NSA dragnet.”

“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today,” said Sen. Ron Wyden, D-Ore. “Americans deserve policies that protect both their security and their liberty. This bill fails on both counts. Cybersecurity experts say CISA will do little to prevent major hacks and privacy advocates know that this bill lacks real, meaningful privacy protections,” Wyden wrote in a press release.

Overall, there was never much hope among the conservative groups. “We certainly would have liked more time to bring this issue to the attention of libertarians and conservatives. Unfortunately, the way the final bill was conferenced — keeping Chairman McCaul out of any substantive discussions and disregarding many of his concerns around the reconciliation process — moved it quicker than we anticipated,” wrote Ryan Hagemann of the Niskanen Center in an email to The Intercept.